Class: Google::Auth::ExternalAccount::PluggableAuthCredentials

Inherits:
Object
  • Object
Extended by:
CredentialsLoader
Includes:
BaseCredentials, ExternalAccountUtils
Defined in:
lib/googleauth/external_account/pluggable_credentials.rb

Overview

This module handles the retrieval of credentials from Google Cloud by utilizing any 3PI provider and then exchanging those credentials for a short-lived Google Cloud access token.

Constant Summary

ENABLE_PLUGGABLE_ENV =

Name of the environment variable that enables pluggable (executable-based) auth.

"GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES".freeze
EXECUTABLE_SUPPORTED_MAX_VERSION =
1
EXECUTABLE_TIMEOUT_MILLIS_DEFAULT =
30 * 1000
EXECUTABLE_TIMEOUT_MILLIS_LOWER_BOUND =
5 * 1000
EXECUTABLE_TIMEOUT_MILLIS_UPPER_BOUND =
120 * 1000
ID_TOKEN_TYPE =
["urn:ietf:params:oauth:token-type:jwt", "urn:ietf:params:oauth:token-type:id_token"].freeze

Constants included from CredentialsLoader

CredentialsLoader::ACCOUNT_TYPE_VAR, CredentialsLoader::AWS_ACCESS_KEY_ID_VAR, CredentialsLoader::AWS_DEFAULT_REGION_VAR, CredentialsLoader::AWS_REGION_VAR, CredentialsLoader::AWS_SECRET_ACCESS_KEY_VAR, CredentialsLoader::AWS_SESSION_TOKEN_VAR, CredentialsLoader::CLIENT_EMAIL_VAR, CredentialsLoader::CLIENT_ID_VAR, CredentialsLoader::CLIENT_SECRET_VAR, CredentialsLoader::CLOUD_SDK_CLIENT_ID, CredentialsLoader::CREDENTIALS_FILE_NAME, CredentialsLoader::ENV_VAR, CredentialsLoader::GCLOUD_CONFIG_COMMAND, CredentialsLoader::GCLOUD_POSIX_COMMAND, CredentialsLoader::GCLOUD_WINDOWS_COMMAND, CredentialsLoader::NOT_FOUND_ERROR, CredentialsLoader::PRIVATE_KEY_VAR, CredentialsLoader::PROJECT_ID_VAR, CredentialsLoader::REFRESH_TOKEN_VAR, CredentialsLoader::SYSTEM_DEFAULT_ERROR, CredentialsLoader::WELL_KNOWN_ERROR, CredentialsLoader::WELL_KNOWN_PATH

Constants included from ExternalAccountUtils

ExternalAccountUtils::CLOUD_RESOURCE_MANAGER

Constants included from BaseCredentials

BaseCredentials::EXTERNAL_ACCOUNT_JSON_TYPE, BaseCredentials::IAM_SCOPE, BaseCredentials::STS_GRANT_TYPE, BaseCredentials::STS_REQUESTED_TOKEN_TYPE

Constants included from BaseClient

BaseClient::AUTH_METADATA_KEY

Instance Attribute Summary

Attributes included from BaseCredentials

#access_token, #expires_at, #universe_domain

Attributes included from BaseClient

#logger

Instance Method Summary

Methods included from CredentialsLoader

authorized_user_env_vars?, from_env, from_system_default_path, from_well_known_path, interpret_options, load_gcloud_project_id, make_creds, service_account_env_vars?

Methods included from ExternalAccountUtils

#normalize_timestamp, #project_id, #project_number, #service_account_email

Methods included from BaseCredentials

#expires_within?, #fetch_access_token!, #is_workforce_pool?

Methods included from Helpers::Connection

connection, default_connection, default_connection=

Methods included from BaseClient

#apply, #apply!, #expires_within?, #needs_access_token?, #notify_refresh_listeners, #on_refresh, #updater_proc

Constructor Details

#initialize(options = {}) ⇒ PluggableAuthCredentials

Initialize from options map.

Parameters:

  • (defaults to: {})

    Configuration options

Options Hash (options):

  • :audience (String)

    Audience for the token

  • :credential_source (Hash)

    Credential source configuration that contains executable configuration

Raises:

  • If the executable source or its command is missing, or the timeout is invalid



# File 'lib/googleauth/external_account/pluggable_credentials.rb', line 50

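# Initialize from options map.
#
# Reads the executable configuration from
# `options[:credential_source][:executable]` and validates what this
# credential needs before anything is run: the `command` is mandatory, and
# `timeout_millis` (default EXECUTABLE_TIMEOUT_MILLIS_DEFAULT) must be a
# number within [EXECUTABLE_TIMEOUT_MILLIS_LOWER_BOUND,
# EXECUTABLE_TIMEOUT_MILLIS_UPPER_BOUND]. Nothing is executed here; the
# command only runs in #retrieve_subject_token!.
#
# @param options [Hash] Configuration options
# @option options [String] :audience Audience for the token
# @option options [Hash] :credential_source Credential source configuration
#   that contains the executable configuration
# @raise [InitializationError] If the executable source or its command is
#   missing, or if the timeout is not a number within the allowed bounds
def initialize options = {}
  base_setup options

  @audience = options[:audience]
  @credential_source = options[:credential_source] || {}
  @credential_source_executable = @credential_source[:executable]
  if @credential_source_executable.nil?
    raise InitializationError,
          "Missing executable source. An 'executable' must be provided"
  end
  @credential_source_executable_command = @credential_source_executable[:command]
  if @credential_source_executable_command.nil?
    raise InitializationError, "Missing command field. Executable command must be provided."
  end
  @credential_source_executable_timeout_millis = @credential_source_executable[:timeout_millis] ||
                                                 EXECUTABLE_TIMEOUT_MILLIS_DEFAULT
  # A non-numeric timeout (e.g. a quoted value in the config file) would
  # otherwise fail with a bare comparison error; report it as a config problem.
  unless @credential_source_executable_timeout_millis.is_a? Numeric
    raise InitializationError, "Timeout must be a number of milliseconds."
  end
  unless @credential_source_executable_timeout_millis.between? EXECUTABLE_TIMEOUT_MILLIS_LOWER_BOUND,
                                                               EXECUTABLE_TIMEOUT_MILLIS_UPPER_BOUND
    raise InitializationError, "Timeout must be between 5 and 120 seconds."
  end
  @credential_source_executable_output_file = @credential_source_executable[:output_file]
end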

Instance Attribute Details

#client_id ⇒ Object (readonly)

Will always be nil, but the method still gets used.



# File 'lib/googleauth/external_account/pluggable_credentials.rb', line 41

# Client id reader. Nothing in the visible code assigns @client_id, so this
# is expected to be nil for this credential type, but callers still rely on
# the method being present.
#
# @return [Object] the client id (nil here)
def client_id
  @client_id
end

Instance Method Details

#retrieve_subject_token! ⇒ String

Retrieves the subject token using the credential_source object.

Returns:

  • The retrieved subject token

Raises:

  • If executables are not allowed, if token retrieval fails, or if the token is invalid



# File 'lib/googleauth/external_account/pluggable_credentials.rb', line 78

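# Retrieves the subject token using the credential_source object.
#
# Executables are only run when the GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES
# environment variable is set to "1"; this opt-in gate is what stops a
# credential file on its own from causing a command to run. A token already
# present in the configured output file is returned before the executable is
# invoked at all.
#
# @return [String] The retrieved subject token
# @raise [CredentialsError] If executables are not allowed, if token retrieval
#   fails, if the executable's output is not valid JSON, or if the token is
#   invalid
def retrieve_subject_token!
  unless ENV[ENABLE_PLUGGABLE_ENV] == "1"
    raise CredentialsError,
          "Executables need to be explicitly allowed (set GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES to '1') " \
          "to run."
  end
  # check output file first
  subject_token = load_subject_token_from_output_file
  return subject_token unless subject_token.nil?
  # environment variable injection
  env = inject_environment_variables
  output = subprocess_with_timeout env, @credential_source_executable_command,
                                   @credential_source_executable_timeout_millis
  response = begin
    MultiJson.load output, symbolize_keys: true
  rescue MultiJson::ParseError
    # Malformed executable output is a credentials failure, not a parser bug.
    # The raw output is deliberately not echoed into the message since it may
    # contain secrets; the original parse error stays reachable via #cause.
    raise CredentialsError, "Executable returned invalid JSON."
  end
  parse_subject_token response
end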